Do CISOs Belong on Leadership Team? Execs Say No

Aug 26, 2015

Cybersecurity solutions company ThreatTrack Security reveals in its “CISO Role Still in Flux” whitepaper that chief information security officers (CISOs) have made modest gains in commanding corporate respect, but hurdles still exist.

The survey of 200 C-level executives shows that although 79% of respondents believe their board of directors already has or should have a cybersecurity expert, 75% said that the CISO did not “deserve a seat at the table” and should not “be part of an organization’s leadership team.” That is similar to 2014, when 74% of executives viewed CISOs the same way.

The survey also shows that organizations have not given CISOs full authority over strategy and purchasing. Just 38% of the respondents answered that CISOs should be responsible and accountable for all information security strategies and cybersecurity technology purchasing decisions, down from 44% in 2014.

ThreatTrack Security points out that CISOs are still often viewed as scapegoats for data breaches; 47% of the respondents said CISOs “should be held accountable for any organizational data breaches,” compared with 44% in 2014.

The whitepaper notes that these attitudes likely stem from executive views on what a CISO’s primary function should be: More than half of respondents (51%) said the CISO position should be advisory and “provide valuable guidance to senior leadership related to cybersecurity,” while just 27% said CISOs think outside of the box and “typically possess broad awareness of organizational objectives and business needs outside of information security.”

There is a silver lining, however, as more executives are open to the idea of CISOs taking roles outside of the position’s normal purview. According to the whitepaper, 62% of executives said they believe their CISO “would be successful in taking another leadership role, outside of information security.” That’s up 23% over 2014.